Blackbone icon indicating copy to clipboard operation
Blackbone copied to clipboard

Published 20 hours ago verified publisher icon DarthTon

Add check, when ZwAllocateVirtualMemory == STATUS_DYNAMIC_CODE_BLOCKED

Open Kosmonit opened this issue 3 years ago • 1 comments

Comrades, thanks for the cool project!

There are several errors that I have found. Please make changes to the code.

Functions BBGetWow64Code() and BBGetNativeCode() (in file Inject.c) may return 0. It happens when: status = ZwAllocateVirtualMemory == STATUS_DYNAMIC_CODE_BLOCKED Please add check, I did it like this:

[Inject.c]

...

    SIZE_T size = 0;
    PINJECT_BUFFER pUserBuf = isWow64 ? BBGetWow64Code( LdrLoadDll, &ustrPath ) : BBGetNativeCode( LdrLoadDll, &ustrPath );

    //////////////////////////////////////////////////////////////////////////
    // MY_PATCH
    //////////////////////////////////////////////////////////////////////////
    // Failed allocate memory
    if (pUserBuf == NULL)
    {
      pData->type = -1;
      status = STATUS_DYNAMIC_CODE_BLOCKED;
    }
    //////////////////////////////////////////////////////////////////////////

...

    else if (pData->type == IT_Apc)
    {
        status = BBApcInject( pUserBuf, pProcess, pData->initRVA, pData->initArg );
    }
    //////////////////////////////////////////////////////////////////////////
    // MY_PATCH
    //////////////////////////////////////////////////////////////////////////
    else if (pData->type == -1)
    {
      DPRINT("[BlackBone][-] Failed injection process return - STATUS_DYNAMIC_CODE_BLOCKED \n");
    }
    //////////////////////////////////////////////////////////////////////////
    else
    {
        DPRINT( "BlackBone: %s: Invalid injection type specified - %d\n", __FUNCTION__, pData->type );
        status = STATUS_INVALID_PARAMETER;
    }

...


                __except (EXCEPTION_EXECUTE_HANDLER)
                {
                    DPRINT( "BlackBone: %s: Exception during PE header erease: 0x%X\n", __FUNCTION__, GetExceptionCode() );
                }
            }
        }

        //////////////////////////////////////////////////////////////////////////
        // MY_PATCH
        //////////////////////////////////////////////////////////////////////////
        if (pUserBuf)
          ZwFreeVirtualMemory( ZwCurrentProcess(), &pUserBuf, &size, MEM_RELEASE );
        //////////////////////////////////////////////////////////////////////////
    }

Kosmonit avatar Oct 01 '21 07:10 Kosmonit

Thank you

Fplyth0ner-Combie avatar Nov 07 '21 09:11 Fplyth0ner-Combie